The developers behind Zoom, the video call platform that gained popularity during the coronavirus pandemic, said Thursday that they have fixed a recent security flaw that could have been used to run identity theft (phishing) campaigns.
The Zoom video call application has a “Vanity URL” option that allows organizations to customize the URL they use to invite users to join a specific video call.
This security flaw, discovered by Check Point researchers, allowed cybercriminals to send seemingly harmless invitations to different Zoom meetings with the aim of delivering malware and stealing data or credentials from the invited user.
The “Vanity URL” security flaw was identified in January. The security company considers that cybercriminals could have manipulated a URL in two ways. The first is through direct links: the cybercriminal could change the URL of the invitation to include a registered sub-domain of their choice. That is, if the original link was ‘https://zoom.us/j/##########’, the attacker could change it to ‘https://<sub-domain>.zoom.us/j/##########’, where the sub-domain is one the attacker has registered.
The second is through attacks directed at custom Zoom web interfaces. Some companies have their own Zoom web interface for conferences. A cybercriminal could target this interface and try to redirect a user to enter a meeting ID in a malicious Vanity URL instead of the authentic Zoom web interface.
In both cases, as highlighted by the company, “without specific cybersecurity training, the victim of these attacks may not be able to recognize the malicious url and may be a victim of the attack.”
With either method, an attacker could pose as a company employee on Zoom and steal credentials or sensitive information.
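The two variants described above both rely on the victim accepting a Zoom link whose host name is not the one their organization actually uses. The following check, added here as an example and not taken from the article, Zoom or Check Point, is the kind of inbound-link filter a defender could run on mail or chat messages: it parses each link and flags any zoom.us sub-domain other than the organization's own registered vanity name. The vanity name “examplecorp”, the sample links and the allowlist of accepted hosts are all assumptions; a real deployment would extend the allowlist with the regional Zoom hosts the organization legitimately receives.

```python
"""Flag Zoom invitation links that use an unexpected vanity sub-domain.

Added example, not code from the article, Zoom or Check Point. The
organization's vanity name and the sample links are constructed.
"""
from urllib.parse import urlparse

# Assumption: the organization's registered vanity sub-domain is "examplecorp".
OUR_VANITY = "examplecorp"

# Assumption: only the bare zoom.us host and our own vanity host are expected.
ACCEPTED_HOSTS = {"zoom.us", f"{OUR_VANITY}.zoom.us"}


def classify_zoom_link(url: str, accepted_hosts=ACCEPTED_HOSTS) -> str:
    """Classify one link.

    Returns one of:
      'ok'                 host is on the accepted list
      'unexpected-vanity'  a zoom.us sub-domain the organization does not use
      'not-zoom'           any other host, including look-alikes such as
                           zoom.us.evil.example or user@host tricks
      'malformed'          no usable scheme or host
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return "malformed"
    # urlparse lowercases the host and strips any "user@" prefix, so
    # "https://zoom.us@evil.example/" yields the real host evil.example.
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return "malformed"
    if host in accepted_hosts:
        return "ok"
    if host.endswith(".zoom.us"):
        return "unexpected-vanity"
    return "not-zoom"


def audit(links):
    """Return only the links that a reviewer should look at, with their verdict."""
    return [(u, classify_zoom_link(u)) for u in links
            if classify_zoom_link(u) != "ok"]


# Constructed sample invitations; meeting IDs are placeholders.
SAMPLE_LINKS = [
    "https://zoom.us/j/1234567890",                   # genuine bare host
    "https://examplecorp.zoom.us/j/1234567890",       # our own vanity URL
    "https://attacker-chosen.zoom.us/j/1234567890",   # foreign vanity sub-domain
    "https://zoom.us.evil.example/j/1234567890",      # look-alike domain
    "https://zoom.us@evil.example/j/1234567890",      # userinfo trick
]

if __name__ == "__main__":
    for link, verdict in audit(SAMPLE_LINKS):
        print(f"{verdict:18} {link}")
```

The check deliberately matches on the parsed host rather than on the substring “zoom.us”, which is why the look-alike and userinfo cases end up as `not-zoom` instead of passing. It is a triage aid, not proof that a flagged link is malicious: a partner company's legitimate vanity URL will also be reported as `unexpected-vanity`, and the reviewer decides.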
A succession of security problems
With the coronavirus crisis and the isolation imposed on much of the world’s population, Zoom grew remarkably, and many computer security specialists decided to analyze it for vulnerabilities. Under that examination the tool proved to be exposed to cyber attacks, since it could reveal users’ private data.
It was a young hacker named Matthew Hickey who found this flaw last April in the Microsoft operating system and posted the details on his Twitter account (@HackerFantastic).
This security flaw allowed the hacker to obtain Windows login data, the username and password, and to start video calls without authorization from the creator of the room.
As the platform’s success grew in tandem with the Covid-19 pandemic, Zoom exposed security issues that linked it to pornography and abusive practices. Specialists called this “zoombombing”.
Due to the configuration and design of the platform, unknown users could join a video call simply by reaching the session URL, provided the host had not taken the necessary protection measures. This resulted in dozens of intrusions by strangers into video calls.
In addition to these “active” attacks, there can also be a more “passive” intrusion in which the attacker goes unnoticed if the video conference is large enough. In this way the intruder could gather information from the video call or record it without the permission of the other participants.